CWE-476: NULL Pointer Dereference
Also known as: NPD, null deref, NPE, nil pointer dereference
The product dereferences a pointer that it expects to be valid but is NULL.
Last updated
Overview
CWE-476 (NULL Pointer Dereference) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
2,049 recorded CVEs are caused by CWE-476 (NULL Pointer Dereference), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 332 new CWE-476 CVEs have been recorded so far in 2026 (679 in 2025).
- CVE-2026-21525CISA KEV
Windows Remote Access Connection Manager Denial of Service Vulnerability
Medium · CVSS 6.9 · EPSS 91th2026-02-10 - CVE-2024-55193Critical · CVSS 9.8 · EPSS 41th2025-01-23
- CVE-2024-40493Critical · CVSS 9.8 · EPSS 51th2024-10-22
- CVE-2023-46427Critical · CVSS 9.8 · EPSS 62th2024-03-09
- CVE-2023-2840Critical · CVSS 9.8 · EPSS 47th2023-05-22
- CVE-2023-31129Critical · CVSS 9.8 · EPSS 47th2023-05-08
- CVE-2023-23087Critical · CVSS 9.8 · EPSS 54th2023-02-03
- CVE-2022-27567Critical · CVSS 9.8 · EPSS 40th2022-04-11
- CVE-2022-26097Critical · CVSS 9.8 · EPSS 40th2022-04-11
- CVE-2022-26096Critical · CVSS 9.8 · EPSS 40th2022-04-11
- CVE-2022-26095Critical · CVSS 9.8 · EPSS 40th2022-04-11
- CVE-2022-26094Critical · CVSS 9.8 · EPSS 40th2022-04-11
Showing 12 of 2,049 recorded CWE-476 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-476 vulnerabilitiesCommon consequences
What can happen when CWE-476 is exploited.
DoS: Crash, Exit, or Restart
Affects: Availability
NULL pointer dereferences usually result in the failure of the process unless exception handling (on some platforms) is available and implemented. Even when exception handling is being used, it can still be very difficult to return the software to a safe state of operation.
Execute Unauthorized Code or Commands, Read Memory, Modify Memory
Affects: Integrity, Confidentiality
In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-476, grouped by where in the lifecycle they apply.
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Select a programming language that is not susceptible to these issues.
Check the results of all functions that return a value and verify that the value is non-null before acting upon it.
Effectiveness: Moderate — Checking the return value of the function will typically be sufficient, however beware of race conditions (CWE-362) in a concurrent environment. This solution does not handle the use of improperly initialized variables (CWE-665).
Identify all variables and data stores that receive information from external sources, and apply input validation to make sure that they are only initialized to expected values.
Explicitly initialize all variables and other data stores, either during declaration or just before the first usage.
How to detect it
Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Effectiveness: Moderate
Manual Dynamic Analysis
Identify error conditions that are not likely to occur during normal usage and trigger them. For example, run the program under low memory conditions, run with insufficient privileges or permissions, interrupt a transaction before it is completed, or disable connectivity to basic network services such as DNS. Monitor the software for any unexpected behavior. If you trigger an unhandled exception or similar error that was discovered and handled by the application's environment, it may still indicate unexpected conditions that were not handled by the application itself.
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Automated Dynamic Analysis
Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Effectiveness: Moderate
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.
Vulnerable example
void host_lookup(char *user_supplied_addr){In the following code, the programmer assumes that the system always has a property named "cmd" defined. If an attacker can control the program's environment so that "cmd" is not defined, the program throws a NULL pointer exception when it attempts to call the trim() method.
Vulnerable example
String cmd = System.getProperty("cmd");This Android application has registered to handle a URL when sent an intent:
The application assumes the URL will always be included in the intent. When the URL is not present, the call to getStringExtra() will return null, thus causing a null pointer exception when length() is called.
Consider the following example of a typical client server exchange. The HandleRequest function is intended to perform a request and use a defer to close the connection whenever the function returns.
Vulnerable example
func HandleRequest(client http.Client, request *http.Request) (*http.Response, error) {Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2024-41130 — C++ library for LLM inference has NULL pointer dereference if a read operation fails
- CVE-2005-3274 — race condition causes a table to be corrupted if a timer activates while it is being modified, leading to resultant NULL dereference; also involves locking.
- CVE-2002-1912 — large number of packets leads to NULL dereference
- CVE-2005-0772 — packet with invalid error status value triggers NULL dereference
- CVE-2009-4895 — Chain: race condition for an argument value, possibly resulting in NULL dereference
- CVE-2020-29652 — ssh component for Go allows clients to cause a denial of service (nil pointer dereference) against SSH servers.
- CVE-2009-2692 — Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476).
- CVE-2009-3547 — Chain: race condition (CWE-362) might allow resource to be released before operating on it, leading to NULL dereference (CWE-476)
- CVE-2009-3620 — Chain: some unprivileged ioctls do not verify that a structure has been initialized before invocation, leading to NULL dereference
- CVE-2009-2698 — Chain: IP and UDP layers each track the same value with different mechanisms that can get out of sync, possibly resulting in a NULL dereference
- CVE-2009-2692 — Chain: Use of an unimplemented network socket operation pointing to an uninitialized handler function (CWE-456) causes a crash because of a null pointer dereference (CWE-476)
- CVE-2009-0949 — Chain: improper initialization of memory can lead to NULL dereference
- CVE-2008-3597 — Chain: game server can access player data structures before initialization has happened leading to NULL dereference
- CVE-2020-6078 — Chain: The return value of a function returning a pointer is not checked for success (CWE-252) resulting in the later use of an uninitialized variable (CWE-456) and a null pointer dereference (CWE-476)
- CVE-2008-0062 — Chain: a message having an unknown message type may cause a reference to uninitialized memory resulting in a null pointer dereference (CWE-476) or dangling pointer (CWE-825), possibly crashing the system or causing heap corruption.
- CVE-2008-5183 — Chain: unchecked return value can lead to NULL dereference
- CVE-2004-0079 — SSL software allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
- CVE-2004-0365 — Network monitor allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.
- CVE-2003-1013 — Network monitor allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference.
- CVE-2003-1000 — Chat client allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference.
- CVE-2004-0389 — Server allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference.
- CVE-2004-0119 — OS allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted request during authentication protocol selection.
- CVE-2004-0458 — Game allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.
- CVE-2002-0401 — Network monitor allows remote attackers to cause a denial of service (crash) or execute arbitrary code via malformed packets that cause a NULL pointer dereference.
- CVE-2001-1559 — Chain: System call returns wrong value (CWE-393), leading to a resultant NULL dereference (CWE-476).
Terminology & mappings
Alternate terms
- NPD
- Common abbreviation for Null Pointer Dereference
- null deref
- Common abbreviation for Null Pointer Dereference
- NPE
- Common abbreviation for Null Pointer Exception
- nil pointer dereference
- used for access of nil in Go programs
Mapped taxonomies
- 7 Pernicious Kingdoms: Null Dereference
- CLASP: Null-pointer dereference
- PLOVER: Null Dereference (Null Pointer Dereference)
- OWASP Top Ten 2004: Denial of Service (A9) — CWE More Specific fit
- CERT C Secure Coding: Do not dereference null pointers (EXP34-C) — Exact fit
- Software Fault Patterns: Faulty Pointer Use (SFP7)
Frequently asked questions
Common questions about CWE-476.
- What is CWE-476?
- The product dereferences a pointer that it expects to be valid but is NULL.
- What CVEs are caused by CWE-476?
- 2,049 recorded CVEs are attributed to CWE-476, including CVE-2026-21525, CVE-2024-55193, CVE-2024-40493. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Is CWE-476 part of the OWASP Top 10?
- CWE-476 maps to OWASP Top Ten 2004: Denial of Service (A9) in the OWASP security taxonomy.
- How do you prevent CWE-476?
- For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
- How is CWE-476 detected?
- Automated Dynamic Analysis: This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
- What are the consequences of CWE-476?
- Exploiting CWE-476 can lead to: DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Read Memory, Modify Memory.
- Is CWE-476 actively exploited?
- Yes. 1 CWE-476 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 2,049 recorded CVEs.
References
- MITRE CWE definition (CWE-476) (opens in a new tab)
- CWE-476 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-476
Get alerted the moment a new CWE-476 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.